With the increase in the computation power of devices, wireless communication has started adopting machine learning (ML) techniques. An intelligent reflecting surface (IRS) is a programmable device that can be used to control electromagnetic wave propagation by changing the electric and magnetic values of its surface. State-of-the-art ML, especially deep learning (DL)-based IRS-enhanced communication, is an emerging topic. Yet while integrating IRS with other emerging technologies, the possibility of adversarial data creeping in is high. Threats to security, their mitigation, and complexities for AI-powered applications in next generation networks are continuously emerging. In this work, the ability of an IRS-enhanced wireless network in future-generation networks to prevent adversarial machine-learning attacks is studied. The artificial intelligence (AI) model is used to minimize the susceptibility to attacks using the defensive distillation mitigation technique. The outcome shows that the defensive distillation technique (DDT) increases the strength and performance of the AI method under an adversarial attack by around 22%.

Keywords: 6G
1. INTRODUCTION

Next generation networks, called NextG or 5G and 6G, are gaining more attention in both industry and academia. Consumers are expecting high demand and new ways of communication. Based on a study by the International Telecommunication Union, mobile network traffic on 5th or 6th generation future networks will constantly increase year over year, using thousands of petabytes [1], [2]. The principle of NextG networks is to transmit data immediately with the least amount of delay between hardware and software devices, and they are commonly used in fields such as e-health medical services, cloning, artificial authenticity, various autonomous vehicles and online e-learning [3]. Next generation technologies are also used to enhance computing and communications systems. Artificial intelligence (AI) is one of the strong platforms that is very important in developing inventory models in the next generation network [4], [5].

An intelligent reflecting system (IRS) upgraded with multiple input and multiple output (MIMO) uses millimeter waves and is a powerful and efficient method in terms of channel capacity and data transmission ratio. It is also capable of reconfiguring wireless systems to obtain more concentration. IRS utilizes a huge number of minimum-cost passive send-back elements whose signals constructively add to the destination network, improving the output of the wireless communication networks. The AI model reduces its effective training, despite the various tools such as cyber security and AI, yet metamorphic and polymorphic security attacks. These adversarial attacks manipulate the AI model by intentionally mixing the original data with unwanted signals in the dataset and misguiding it [6].

In this article, an AI-IRS system is proposed for next generation networks to reduce the vulnerability to a minimum level in the academic and business environment [7], [8]. This involves:
i) calculating the susceptibilities of the AI methods of the IRS system to adversarial attacks using the fast gradient sign method (FGSM) and the basic iterative method (BIM);
ii) proposing a defensive distillation mitigation algorithm to improve the robustness and efficiency of the AI model on the IRS system; and
iii) training the AI-IRS systems to produce and maintain robust output data under undefended and defended methods using FGSM and BIM adversarial attacks.


2. METHOD 
2.1. Intelligent reflecting surface wireless communication 

Wireless communication quality can be enhanced using an IRS wireless communication system, which significantly improves the efficiency of communication between a sender and receiver. The destination receives both the line of sight (LOS) waves from the LOS connection and constructive send-back signals from the IRS recipient during idle time [9]. IRS can improve communication systems by dynamically changing wireless channels and adjusting the signal reflection surfaces via a large number of inexpensive passive reflecting devices. Though an IRS-supported hybrid wireless network with passive and active components promises to achieve long-term and cost-effective capacity growth, it needs to overcome certain obstacles such as channel estimation, deployment, and reflection optimization [10].

This suggests that a machine learning (ML) model has to be trained to detect the domain signifiers to expect the possible rate with each IRS interaction communication route. This can be achieved by the current developments in deep learning, in which the transmitter should reflect the sent data to the receiver and the IRS interaction route should be compatible with the highest expected realistic rate to be used. The method is referred to in this work as the AI method on the IRS system, and its weakness is examined and evaluated using the defensive distillation mitigation strategy [11], [12].


2.2. Adversarial machine learning 

Adversarial ML is used in a variety of applications and is primarily used to implement malicious attacks or reasons for ML model malfunctioning [13]. The principle is to train the models to automatically understand the original designs of the working procedure and relationships in data using the trained algorithms [1]. Post training is mostly used to calculate and analyze the outlines in given information [14]. Figure 1 shows the steps involved in a wrong prediction due to an attack on a machine learning technique. The precision range of the trained model is important for obtaining a better outcome, which is addressed as generalization. The various types of adversarial machine-learning attacks include data evasion, poisoning and model attacks [15]. Adversarial ML methods are used to finalize, locate adversaries and produce planned betrayals of the ML model.


Figure 1. Adversarial attacks on data (stages shown: data elements, perturbation, adversarial samples, machine learning classifier, wrong prediction)


The sample model input should confuse the model into executing an invalid classification of the given data, which can be used to exploit certain blind spots in image classifiers [16], [17]. This article's goal is to examine the most recent adversarial ML techniques to create and identify adversarial samples. Both targeted and non-targeted evasion attempts aim to persuade models to incorrectly identify malicious examples as valid data points. Targeted attacks attempt to persuade ML models to include adversaries in a special target model. Non-targeted attacks are designed to force ML models to order the adversarial example as a different model than reality [18]. The goal of data poisoning is to generate false data points that will be used to train ML models in producing the desired results. Data poisoning can be used to produce the desired results using ML methods. Some examples of adversarial attacks are FGSM and BIM.


2.2.1. Fast gradient sign method 

FGSM is a one-step attack in which the perturbation is added in a single step rather than over a loop. The fast gradient sign method involves the following three steps: the first step is to compute the loss function and forward propagation; the next step involves the calculation of the gradient based on the pixels of the image; and finally the image pixels are moved forward a little bit in the direction of the estimated gradients to increase the loss from the previous steps [19].

A negative likelihood loss technique is applied to determine how closely the model's prediction matches the actual class. The computation of the gradients with respect to the image pixels is unusual. Gradients are used in neural network training to determine the direction in which weights need to be changed to reduce the loss values. As an alternative, in this case, input image pixels are moved in the gradient's direction to increase the loss value. Back-propagating the gradients from the start to the weight is the most commonly used method when training a neural network to determine the direction in which a specific weight deep in the neural network is altered. In such situations, a similar idea [20] is applied, with the gradients being returned to the input image from the output layer.

The following mathematical formula is given to move the weights to reduce the loss value in neural network training:

updated_weights = previous_weights - learning_ratio * gradients   (1)

The following mathematical formula is used to increase the loss and move the pixel values of the image:

new_pixels = old_pixels + epsilon * gradients   (2)

Furthermore, the following algorithm is applied for perturbation in the fast gradient sign method:

$X^{adv} = X + \epsilon \cdot \mathrm{sign}(\nabla_x k(x, y_{true}))$   (3)

where $X^{adv}$ is the adversarial image, $\epsilon$ is the perturbation and $\nabla_x k(x, y_{true})$ is the first derivative of the loss function concerning the input $x$. In the case of deep neural networks, this can be calculated using the back-propagation technique.

The following equation is used for targeted FGSM attacks:

$X^{adv} = X - \epsilon \cdot \mathrm{sign}(\nabla_x k(x, y_{target}))$   (4)

$X^{adv}$ is equal to the negative of $k$. In this case of targeted attacks, the loss function between the targeted class and the predicted class is minimized, whereas an untargeted attack maximizes the loss function between the predicted class and the true class [21].


2.2.2. Basic iterative method 

ML algorithms iteratively study the data, which permits the machine to find the hidden forms within the data [22]. The objective of a basic iterative algorithm is to find the best solution from the data set. These algorithms learn from previous experience so that consistent and repeatable decisions are made to obtain the best solution [23].

The method can be repeated several times with small step sizes. This technique involves clipping the pixel values between the results in each phase to ensure that they are in the vicinity of the original image, that is, within a certain range of the previous image's pixel value.

The following mathematical calculation is used for generating the perturbed pictures using this basic iterative method:

$X_0^{adv} = X, \quad X_{i+1}^{adv} = \mathrm{Clip}_{X,\epsilon}\{X_i^{adv} + \alpha \cdot \mathrm{sign}(\nabla_x k(X_i^{adv}, y_{true}))\}$   (5)

$X_i^{adv}$ and $X$ are the adversarial image at the $i$th step and the input image respectively, $k$ represents the loss function, $y_{true}$ is the output for input $x$, $\epsilon$ is the tuneable value and $\alpha$ is the step size. An overview of the iterative algorithm is provided in Figure 2.

Figure 2. Overview of the iterative algorithm
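
As an added illustration (not code from the paper), the Python below applies equations (3) and (5) to a toy regression model and reports MSE for clean, FGSM and BIM inputs at several attack powers. The network weights, samples, targets, the step size `eps / 4`, the iteration count and all function names are constructed assumptions, and the gradient is derived analytically rather than through TensorFlow or CleverHans.

```python
import math

# Constructed weights for a toy regressor f(x) = V . tanh(W x + C); not from the paper.
W = [[0.8, -0.5, 0.3], [-0.4, 0.9, 0.6], [0.5, 0.2, -0.7], [0.1, -0.6, 0.4]]
C = [0.1, -0.2, 0.05, 0.0]
V = [0.7, -0.6, 0.5, 0.9]

def sign(g):
    return (g > 0) - (g < 0)

def hidden(x):
    return [math.tanh(sum(w * xi for w, xi in zip(row, x)) + c) for row, c in zip(W, C)]

def predict(x):
    return sum(v * h for v, h in zip(V, hidden(x)))

def loss_grad(x, y_true):
    """Gradient of k(x, y_true) = (f(x) - y_true)^2 with respect to the input x."""
    h = hidden(x)
    err = sum(v * hj for v, hj in zip(V, h)) - y_true
    return [2 * err * sum(V[j] * (1 - h[j] ** 2) * W[j][i] for j in range(len(W)))
            for i in range(len(x))]

def fgsm(x, y_true, eps):
    """Equation (3): a single step of size eps along the sign of the gradient."""
    return [xi + eps * sign(g) for xi, g in zip(x, loss_grad(x, y_true))]

def bim(x, y_true, eps, alpha, steps):
    """Equation (5): steps of size alpha, clipped to within eps of the original x."""
    adv = list(x)
    for _ in range(steps):
        grad = loss_grad(adv, y_true)
        adv = [min(max(a + alpha * sign(g), xi - eps), xi + eps)
               for a, g, xi in zip(adv, grad, x)]
    return adv

def mse(inputs, targets):
    """Mean square error of the model's predictions over a batch of inputs."""
    return sum((predict(x) - y) ** 2 for x, y in zip(inputs, targets)) / len(inputs)

# Constructed samples. Targets sit 0.05 above the clean prediction so that the
# clean loss gradient is non-zero and the clean MSE is 0.05^2 = 0.0025.
SAMPLES = [[0.2, -0.1, 0.4], [-0.3, 0.5, 0.1], [0.6, 0.2, -0.5], [0.0, -0.4, 0.3]]
TARGETS = [predict(x) + 0.05 for x in SAMPLES]

def sweep(eps_values=(0.01, 0.05, 0.10)):
    """MSE of clean, FGSM and BIM inputs for each attack power eps."""
    rows = []
    for eps in eps_values:
        adv_f = [fgsm(x, y, eps) for x, y in zip(SAMPLES, TARGETS)]
        adv_b = [bim(x, y, eps, eps / 4, 10) for x, y in zip(SAMPLES, TARGETS)]
        rows.append((eps, mse(SAMPLES, TARGETS), mse(adv_f, TARGETS), mse(adv_b, TARGETS)))
    return rows

if __name__ == "__main__":
    for eps, clean, m_fgsm, m_bim in sweep():
        print(f"eps={eps:.2f} clean={clean:.5f} fgsm={m_fgsm:.5f} bim={m_bim:.5f}")
```
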


3. WORK CONCEPT 

In the neural network architecture and defensive distillation technique (DDT), the input data received from the user devices is used for the IRS prediction method. Defensive distillation training is covered using a defended model which has deep neural networks with a large network and shallow neural networks with a small neural network [24], [25]. The overall system design for the proposed AI-powered intelligent reflecting surface system is shown in Figure 3. The figure shows that, during the prediction model training, a shallow neural network model is protected against adversarial ML attacks in mobile base stations. Adversarial attacks are applied in the defended and undefended methods to evaluate the methods under any attacks.

Figure 3. AI-powered intelligent reflecting surface systems


3.1. Neural network architecture 

The neural network technique, also called deep learning, follows the principles of the human brain while processing data using a computer [26]. As shown in Figure 4, it uses interconnected nodes or neurons in a layered structure that resembles the human brain. The neural network input is a signal from the transmitter and receiver of the uplink pilot. The neural network's output is a prediction score based on the input signals from the transmitter and receiver. A neural network consists of multiple layers [27]. The output falls under the multilayer perceptron, in which inputs are processed by multiple layers of neurons.


Figure 4. Neural network architecture (input layer, hidden layers, output layer)


3.2. Defensive distillation technique 

The defensive distillation technique is one of the most popular adversarial training methods; it adds flexibility to the classification process of an algorithm, making it less prone to attacks. DDT employs defensive knowledge distillation to train the model to be more powerful. Knowledge distillation was previously introduced by Catak et al. [28]. In this technique, the knowledge of the master (a densely connected neural network) is transferred to a slave (a sparsely connected neural network). In knowledge distillation, the slave should perform similarly to the master by imitating the master's output, which causes soft labels to be used to train the slave network using the master node.

The workflow of the DDT consists of three steps. Step 1 is training the master model with the loss function for the classification of inputs. Step 2 again trains the previously trained master model with the defensive distillation method that produces a soft label and a cross-entropy loss function to generate the corresponding soft labels as outputs. The last step involves training the slave model using the soft labels from the previous process to produce a better, more robust and more accurate method. Algorithm 1 provides the defensive distillation technique used in this study to counter adversarial attacks in machine learning. The defensive distillation parameters of this study are provided in Table 1. The loss function is defined as (6):


Algorithm 1. Defensive distillation
Function defensive distillation
    Call defensive()
End Function
def defensive()
1: Read Dataset $DS$, Base Model $M_T$, Cross Entropy $\lambda$, Adversarial perturbation $\epsilon$
2: Number of iterations $N$
3: Minimize the cross entropy loss $L_{CE}$ on Dataset $DS$
4: Initialize the defensive distillation model $M_{DS} = M_T$, $i = 0$
5: while $i < N$ do
       Read the samples $x$ and Labels $y$
       Compute the following:
           Cross-entropy = $L_{CE}(\theta)$
           Kullback Leibler Divergence = $L_{KL}(\Pr(y \mid \theta), \Pr(y))$
       Compute defend distillation loss:
           $L_{DF}(\theta) = (1 - \lambda) L_{CE}(\theta) + L_{KL}(\Pr(y \mid \theta), \Pr(y))$
       Calculate FGSM and BIM with
           FGSM: $X_{adv} = X + \epsilon \times \mathrm{sign}(\nabla_x l)$
           BIM:  $X_{adv} = X_{adv} + \epsilon \times \mathrm{sign}(\nabla_x l)$
       Update $M_{DS}$
       $i \leftarrow i + 1$
6: Endwhile
7: return $M_{DS}$

Table 1. Defensive distillation parameters

Parameter                 Description
$L_{DF}$                  Distillation loss function
$L_{CE}$                  Cross-entropy loss
$\Pr(y)$                  Output of the shallow neural network model
$\Pr(y \mid \theta)$      Output of the deep neural network model
$L_{KL}$                  Kullback Leibler divergence (KL) loss
$\lambda$                 Parameter between KL divergence and cross entropy


$L_{DF}(\theta) = (1 - \lambda) L_{CE}(\theta) + L_{KL}(\Pr(y \mid \theta), \Pr(y))$   (6)
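
The following added example (not the authors' code) evaluates equation (6) and carries out the last workflow step, training a slave model on the master's soft labels by gradient descent. The master is a constructed stand-in with fixed weights for the already trained deep network, and the samples, learning rate, epoch count, the value 0.5 for the parameter of equation (6) and all function names are assumptions.

```python
import math

def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]

def logits(weights, x):
    return [sum(w * xi for w, xi in zip(row, x)) for row in weights]

def argmax(p):
    return max(range(len(p)), key=p.__getitem__)

def cross_entropy(onehot, p):
    return -sum(t * math.log(q) for t, q in zip(onehot, p))

def kl_div(p, q):
    """KL(p || q) for two probability vectors."""
    return sum(a * math.log(a / b) for a, b in zip(p, q) if a > 0)

def distill_loss(onehot, master_p, slave_p, lam):
    """Equation (6): (1 - lambda) * L_CE + L_KL(master output, slave output)."""
    return (1 - lam) * cross_entropy(onehot, slave_p) + kl_div(master_p, slave_p)

def train_slave(data, master_probs, lam=0.5, lr=0.5, epochs=200):
    """Last workflow step: fit a linear softmax slave by gradient descent on (6)."""
    n_cls, n_in = len(master_probs[0]), len(data[0][0])
    w = [[0.0] * n_in for _ in range(n_cls)]
    for _ in range(epochs):
        for (x, onehot), mp in zip(data, master_probs):
            sp = softmax(logits(w, x))
            # Gradient of (6) w.r.t. the slave logits: (1 - lam)(s - y) + (s - m).
            g = [(1 - lam) * (s - y) + (s - m) for s, y, m in zip(sp, onehot, mp)]
            for k in range(n_cls):
                for i in range(n_in):
                    w[k][i] -= lr * g[k] * x[i]
    return w

def mean_loss(w, data, master_probs, lam=0.5):
    return sum(distill_loss(y, mp, softmax(logits(w, x)), lam)
               for (x, y), mp in zip(data, master_probs)) / len(data)

# Constructed stand-in for the trained master model (steps 1 and 2): fixed weights.
MASTER_W = [[2.0, -1.0], [-1.5, 1.5], [0.0, -2.0]]
# Constructed samples: (input features, one-hot hard label).
DATA = [([1.0, 0.2], [1, 0, 0]), ([-0.8, 1.0], [0, 1, 0]),
        ([0.1, -1.2], [0, 0, 1]), ([0.9, -0.3], [1, 0, 0])]
SOFT_LABELS = [softmax(logits(MASTER_W, x)) for x, _ in DATA]

def run(lam=0.5):
    """Return (loss before training, loss after training, slave agrees with master)."""
    untrained = [[0.0, 0.0] for _ in MASTER_W]
    slave_w = train_slave(DATA, SOFT_LABELS, lam)
    agree = all(argmax(softmax(logits(slave_w, x))) == argmax(mp)
                for (x, _), mp in zip(DATA, SOFT_LABELS))
    return (mean_loss(untrained, DATA, SOFT_LABELS, lam),
            mean_loss(slave_w, DATA, SOFT_LABELS, lam), agree)

if __name__ == "__main__":
    before, after, agree = run()
    print(f"loss before={before:.3f} after={after:.3f} slave matches master: {agree}")
```
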


4. EXPERIMENTAL AND RESULTS 
AI-powered IRS methods are evaluated using the mean square error (MSE) algorithm. MSE scores are used to evaluate the model vulnerabilities under protected and unprotected conditions. The MSE is calculated as:

$\mathrm{MSE} = \frac{1}{n} \sum_{i=1}^{n} (Y_i - \hat{Y}_i)^2$   (7)

where $n$ denotes the total number of samples, $Y_i$ the actual data value and $\hat{Y}_i$ the predicted data value.

The output is represented in the form of bar plots (Figures 5 and 6) and histograms (Figures 7 and 8), which show the MSE values for each adversarial ML attack on the protected and the unprotected systems. Table 2 shows the prediction of performance outputs for the protected and unprotected AI-powered IRS method countering the attacks. The publicly available ray trace MIMO datasets are adopted to generate the training data and compare with the AI-powered IRS method. Based on the ray-tracing data obtained from the value ray-tracing simulation outline, the MIMO dataset parameter was used to build the MIMO channels.

The adversarial attack on the AI-powered method has become more popular with several attacks. BIM and FGSM types are used in this study to generate adversarial examples. The performance of each model was estimated through the MSE metric.

The trained AI-powered IRS method was simulated using Python and the TensorFlow framework, executed on a Google Colab Tesla GPU with 16 GB memory. The adversarial input data were generated using the CleverHans library. Figure 5 shows the MSE values for the selected attack methods under attack powers from 0.01 to 0.10. The MSE values are similar for both the BIM and FGSM algorithms and are around 0.08 for all attack powers. Furthermore, MSE values for BIM attacks rise with increasing attack power, ranging between 0.008 and 0.009. The output shows that AI-powered models are considered vulnerable to adversarial attacks. Mitigation techniques are broadly used to improve the robustness of AI-powered models against adversarial attacks [29]. Based on this observation, the DDT was applied in this method to reduce the vulnerability against adversarial attacks. The performance of the AI-powered model is estimated in terms of MSE after applying the mitigation method.

Figure 5. MSE value vs attack power (undefended models)


The MSE values against adversarial attacks range from 0.01 to 0.04 in Figure 6. The above curve depicts that, although the AI-powered model is still prone to adversarial attacks, its robustness against adversarial attacks is better. It was observed that the model can resist any attack under low attack power, that is, less than 0.30. An increasing mean square value implies that a high-power attack is expected. The effect of the mitigation technique on the performance is not the same for all attacks. The MSE values can go between 0.001 and 0.003 under the FGSM and BIM attack respectively, whereas under high attack power it goes up to 0.003 for BIM. On the other hand, the attack power under the FGSM attack is low when the mitigation technique is applied to the model. The output indicates that the defensive distillation model significantly contributes to the model's robustness against adversarial attacks.

Figure 6. MSE value vs attack power (defended models)


Figure 7 examines the variation of MSE values for the undefended model under adversarial attacks. Based on the output data for the undefended AI models under FGSM adversarial attacks, the undefended model corresponds to a moderately right-skewed distribution, which has a maximum out to the left of the distribution. The MSE values differ from 0.004 to 0.024 for all types of attacks. The percentage of high MSE values is lower than that of the undefended model. This indicates that the mitigation technique can significantly improve the method's robustness under FGSM attacks.

Figure 7. MSE values vs percentage (undefended model)


Figure 8 examines the distribution of MSE values for the defended method under adversarial attacks. Based on the output data, the defended model represents a slightly right-skewed distribution, like the undefended model. Based on that, it can be stated that the AI-powered model can accurately predict the target values. Against FGSM attacks, the defended models are found to be more effective. This indicates that the robustness of the model can be dynamically enhanced with mitigation techniques against FGSM attacks.

Figure 8. MSE values vs percentage (defensive distribution)


Table 2. Parameter setting

Parameters                          Values
Frequency band (f)                  28 GHz
Active base stations (bs)           4
Number of antennas (M)              {(1, 16, 32); (1, 32, 64)}
Receivers (rx)                      R1100 to R1500
Transmitter (tx)                    Row 900
                                    Column 95
Bandwidth (bw)                      100 MHz
Number of subcarriers (sc)          512
OFDM sampling factor (sf)           1
OFDM limit (limit)                  64
Number of channel paths (path)      1
Antenna spacing (A)                 0.54


5. CONCLUSION 

AI is the most important technology for improving the performance of next generation networks. This article examines the vulnerability of AI-powered IRS models against FGSM and BIM adversarial attacks. Mitigation methods such as defensive distillation improve the robustness in next generation networks. The output indicates that AI-powered next generation networks are vulnerable to adversarial attacks. The overall result shows that BIM is the most effective adversarial attack (30%) on defended than undefended methods. The proposed defensive distillation mitigation method provides better results for defended FGSM attacks (22%) than undefended FGSM attacks. Future works can focus on vulnerabilities for various adversarial attacks such as Carlini and Wagner, momentum iterative method (MIM) and projected gradient descent (PGD) as well as the defensive distillation mitigation method.